Metasploitable/Apache/Python
From charlesreid1
Apache vulnerabilities by version: https://httpd.apache.org/security/vulnerabilities_22.html
Recon
Nikto
Nikto is a web server vulnerabilities scanner. It provides an excellent starting point for recon and for determining next steps. We'll use it to gather information about vulnerabilities in Metasploitable's web servers.
Basic usage of nikto: https://cirt.net/nikto2-docs/usage.html
# nikto -h 10.0.0.27
This reveals a number of web server vulnerabilities, both through Apache and through other things like PHP:
root@morpheus:~/codes/nikto# nikto -h 10.0.0.27
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.0.27
+ Target Hostname: 10.0.0.27
+ Target Port: 80
+ Start Time: 2016-03-27 13:07:26 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec 9 09:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=mjpaEzhPVxNxLefyhCCDNnEWM0owXVGpquGiZ0ofAhVR3ltaiOqM3vl0u7qNYTlIfDj6SKXBN8BwCqDjBfuP2KqQ4KaBjeUhacOPF2se7aP66we1EBUM5ushoPBgNWaET0YmA7XNKFXgUnbpNGRGgy41wsMeaA3x1rPmWtMMq0aCS8dklMIplLb3PBMDpGfv1lHJjESTkpKcLI49kYE2IYkavCSKM6nTwEW90YIWMqvTzgvZEp6q4IJe4a0x9JExYzICrQ9xdh5jsi613pwdcgtxhSk05aeMxFqd2ZBkN3pHBQVitJ72ocrS8kfGbAZeupfQLjdVbDPcJrNEauLk5AjK8XqVeHVUFDh9pAsx6wChuYH39g3cZrkdG3erDZ0ZDtNzoPGc4p7oppA8x0nTv0dWQRknvLK5Kc6jhw0HTFeMYvl3aYbnMbLQ3IyUcK940yADWu9eetrJ5bjz8unxNMBZkfUerllnJYe5jBPs2ZlMA0LCtOHpb3D5sG14QxBU9gqWUcSE59Hjjp2OSKp5eSD7z7CGaobpJeaAMhVZgrOidPECGsUHmhyKG3lfM9ntlKDdloX32eGmQG0vBQATYI1IMJNQ27tXmOaqIqlsEkjR6p6ATlHCNxr4JMSMKVT4rTq3JXHzvUNxd3TojbvjmginOJbxzEdPjpdWAwfAkCDW02x6qXhgd7fPYQS1wowg9wk3bu8vmeSvuGmRITHAef9dQDAsrGrT9U6pZT4zumgxDAMw3g5fAj4RpUKyAeD5s10oLKYtqGrDtWLDZu4NNH8tjqWpZDTwrbROFn0bCo88nHsLmu1Zy6mK91IAerLAjcfvgiAws192OAaVMHSgvKve2tsWLYL31WoAS4KbZrHO77DAncU4V0yFkIFGIL1sBgi7YBtI9omQLiBDtFH0hCvCENf8nFKND0nJMxsSmahEBnHWssbUBgKH2hiJQqQ3lfiqV7MSzGbKPnAVGkPBZTEZklVKG6sXHInhl2Z4XNxlGAsDtqSJDdO9IgraCWQA8u7BgO9yI7zFVMQX5XPcb4tACJFs83U9oEjMl9j9JNl69yAe51PHxYEnAlGlkr8EQvlzVRSil6NUGjlZkaoP1moiE9tvp2kP1y0dyEmrPOMPyf9cv34kXiLyyhgkIZDRA4yVtBbaan5iVbxAmYoVxDUHzxAweSihxxb9pwQTlXutvjDmkmFdoLX2bf8PykQRSvRflMUr7hCOzITcXbfc3LXrdYiyxsZCpuw0FlCUffaEZXTwFnyTo9vF0pokjMOB8eDubZgF3rCeFkAYp3uAV5DNXkRtTPO8GS7JwS3uFmqC98HnyUM3S5ix5CPGepdGlGBNvlXTuzOgFNAHDbABtg4pZgPt0t7ZgA7EPSQBkAOkaQfEx51XHZuSNyQHwxTb3g1sFwC9NA7J0KP9lB2UheBqDgtWFUpVB9xzFeSNl36SsK7xEHc4s9ckSXv6RkyztLh7TThgzZA9WoMCDaI4zubK4cwyUryrncy84cy69fS766nmuCu2FaCfG8XO9KCZ4QCkN4iL8pwqzwbDHdpAXE2FhQcAhgm9FbKr77faJHjxyOUrBCyR3BgxMS4lwLvC9WbcZxscvvZXaK28QuJgodAE6TqrwJrhhgSUa7Wz8XfsxP9i8mVf9SusKmawzM3vQhgtXEfDr3pOI2SyN86GsyBnP8hBtWhEfAFmolkxaRqnhLR0JGOm9pkW9ujqSiaslePGhQyoPiwjLmgy9fc3IdC4GLQy8xuDJC2pBaWJqX8CTLlVE1WIW0tVVtxCHPPiiPlGW7r1fxzLqNyDboqfvsA3S94h3IqC4Wr6aQErthWd4ALwcjRmwzB5Pzyy38flxHGl4HjCS1KuKFThRxO4T1LBII4HYBZw5byFpkqTmjN643MBjQnfzTULk8xmSzh52ZuCO29gy1N5d8se3a4PQ5WW34DzFMIFHa7L6nfYjafqRzuFrEe0hVQbzUhIySbd6NHGt1gOba1XBSYU7GZ9MFODVtWx643SInaKbRnZNa8hv5tCKV3Lp6eRHAz4H0xLOIfsVpZQi4p406vnB3TZb1C4uvvvLCZOUHjjQmPUDtduY7dAsOEmGYthqAN87moEJB8mgzU0Vd5WbLpcjCBXEx5lbUxakcMzmhulQ33EA6oQWeLatrlOnaaSN3Lz4cMoRLFjHs8qHZYX58BPvjrR4CAf9PhRuL7x2QN3UGWJ29Rt5wyOk8NV6xOcddUUIml0O82SLLStg4LRFq36s2Bt65vGUcRC7cmsBZFhE149XjNqqCztf0TeYvSlMTxMX8jikW1RDsqPL20xXUC3ddHCSE08hqfACwaOv1fbwn7ycv1E4IHsAzWaUI7DPgypltIiTy2XPo3FOcBYo4USCNEuXFOvwftrxZgngQ325tExTXc29XpIrTbwb04AFYffppL1IqqO6qAbyJuDj8GhvfH7AcsdOY7orPy667RnAv2jhm0VW6A5zOw3luS6IktY3MBoZyWaEsMj0ZxRQNe0j6Pf9hFuQR783WocLLRkJvIzBqMEoiF8vnlthYfRHVWEo5dtfYwrp0kNI9IHSegzMsekPp0TMLEgD0cswD1eDUEEmtftKi3RVITzwDQ3hoTgJJEW7BmpMTWoy2xUtmLkWTfRFnRer5sNzJeSztLxcn3QPBDJsLH2lWDGRQLiLqUlLppOhh6bxazlQeLflgmLtFoTGesvHVg0fvGuB6TSAXn3LIVbsW0vWuZicqiQf75W6QbpBartWpccLpgVHZN070ISqBrj7tCyd50tBRDo2iwHmatJvrYRKBf4DX10NtnS4FPAGdO4a3wLRXgtizEBwPnGDdpkYIMJwKqrVjaqPmhOxoIfVrymZ2RTNt5P6aa7Czqau4szXe7o1SICJapzbyrRdETdhkZ9lyQ8Ca9lCa8pnTiHv2h7LaQprlG3bEcxBRUIj7JlwGQpsL1I2EDFKg2itltBlQYsSSOb2xHBYX97RvlDHObrTatDhrUjupDSjZAt1KxOHWkYahV8ukzXx8BSyXetk3IupiVdDjtc5sg4SR0I7LRx6ziS4xJxbssUaCbzo39VjOTZtHG5DVNxfXzCcLpDeIlzLxlf0V6cRuI1o5iG4oUonXhX0UmFDf4UKF2vYvdQV8CnVMyBANkz2a4ZDxhD4pu7PSDejdRCcQNI2O5tD4x0B4izdjGAiy8l2RsVS84ZCGLClPpRFtMELPamUxjKdKFqyDPUJHuBrlMvJpsBOEqDsZSZH39iHUMTVmus5Ocgfmdrg6DE8nXft83SeMFj9L8MX2KWoZoFhaeiJpePToUEyD41luJnK3PxVFS3SO0uNLwTsor9gQwwb0IvKwJkmBKMxbxant2oFpoyNjM1dZhhPBJ5kxfGgIv8cRarvDVe1MQvQS7XHk5lUUIjx97dsoiWWtwj5iAh92WLMu3i51uRa5WLDJUeNLh3MZeL85yGoBlSzcSkWSpBS7mYM4OVGtXsJ1iLOvKOnNZ4etVrWvZejeJl0d2sElZ67KTE6BiYdYSnoRCKeYUJ7ZUGd4xbuL4mDCWFvA1SWJf5unIzONRkYx3QTgdzcxbPLtXnjQ3C3zF9gNgCwprr8Cf3SOvaxr2LPDIhX11khDx3QGXVWKebeGW9UTtmp7JRpdjkYqjimNypaf2mTBiQYMJy7CddNQFyyqNA0o6S6Wyd19y7QYR1bx2noKQ0CxJJ8fpMu7jLqEjQhRgC15qEwZaXHuHV1EB55Sl7esk9NQKuX8Wsly1HNndFcfcmDjyISJZOL4Has29vh0dM2cXKTUgcmmUunj5nJaS1GDz9fyCeJWMD8TFi7rB0RZel0ti6bFXvypas4bGFZpjNBa1Xm29nvGmdnGWnhRLvYKUMWXauQGDAoON9AENsSpMCvpiEeZEwb5AaRk0ab2z87eD4cvc5885o4VMxCb6jFSgG5qBhFa7DHT3TFEhxlIkA0T6f37bGxUcrlJXTJ6g5rh2b4fbY7EIjqKxHyCMCNDmujSlgba8UiaDSQ27VLWOvwnvV5xf4gSb89PPvZxPfxrb9vqvtDL0B0Ie80FJaFzMZk9fCWTtXtXsVDUZn8qF1qwV1NOX8<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8329 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time: 2016-03-27 13:08:29 (GMT-7) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The following vulnerability identified by Nikos is exploited on the Metasploitable/Apache page:
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
Python Attacks
This page covers some techniques for abusing the Apache server on the Metasploitable machine using Python.
SlowLoris DoS Attack
SlowLoris that opens a (large) fixed number of connections to send a payload of a specified size, then proceeds to twiddle its thumbs.
Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.
We start making lots of HTTP requests.
We send headers periodically (every ~15 seconds) to keep the connections open.
We never close the connection unless the server does so. If the server closes a connection, we create a new one keep doing the same thing.
This exhausts the servers thread pool and the server can't reply to other people.
This is the computer networking equivalent of when you go to the bank, and just before you get to the teller window, a little old lady with a giant sack of pennies says "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except, an army of old ladies showing up in front of every teller window.
Slow Death Script
https://github.com/evert/slowdeath
This is a Python script that implements the SlowLoris attack with a fixed number of threads opening connections with the web server. This will completely swamp, e.g., an Apache server on a single machine.
slowhttptest
See the section below about slowhttptest for a nicer frontend with more options. What is covered below is some simple and straightforward Python.
Before
Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:
(Note that here the machine is at 192.168.56.101 - a set up that corresponds to creating a host-only network adapter for the VirutalBox. That means we'll be creating a network and only virtual machines on the host computer will be able to see the network.)
Running
To use slowdeath:
# python slowdeath.py -t 200 http://192.168.56.101
This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.
During/After
This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:
This will continue to open new connections as existing connections die:
Once the attack is killed, everything is back to normal.
Kill Apache DoS
In 2011 a vulnerability was released related to Apache. By sending requests with a specially crafted header, an attacker could swamp a web server's CPU and memory and crash it, leading to a denial of service. This vulnerability was released in 2011 (CVE-2011-3192).
There is a perl version of this code called killapache.pl here: http://www.hackersgarage.com/apache-killer-denial-of-service-flaw-in-apache-webserver.html
There is a Python version of this code here: https://github.com/MaYaSeVeN/KillApachePy
However, the version of Apache on Metasploitable (2.2.8) is too old to be vulnerable to this exploit.
Command-Line Utility Attacks
slowhttptest
This one's pretty straightforward. Download and install slowhttptest:
# apt-get install slowhttptest
This comes bundled with multiple utilities for multiple types of DoS attacks:
- Slow POST mode (sends unfinished HTTP message bodies)
- SlowLoris mode (sends unfinished HTTP requests)
- Range header mode (tests the killapache vulnerability, mentioned above, which Metasploitable is not vulnerable to)
- Slow Read mode (reads HTTP responses slowly)
SlowLoris DoS Attack
To use the SlowLoris denial of service attack and open a bunch of idle connections with a web server, use the -H flag.
# slowhttptest -H -u http://10.0.0.27
The -u flag specifies the URL of the target. However, we'll want to spice it up a bit more - specify a thousand connections -c 1000, and a few other parameters -i 10 for interval between two tests, -r 200 for 200 connections per second, -t GET to make these requests GET requests (keep it simple).
The -x 24 flag sets a cap on the amount of data sent, chunk-by-chunk, to the web server. -p 3 marks the server as DoS'ed if it doesn't respond after 3 seconds.
# slowhttptest -H -c 1000 -H -i 10 -r 200 -t GET -x 24 -p 3 -u http://10.0.0.27
This strangles the web server. Here's what it looks like when the Metasploitable machine is under attack:
and here's what it looks like once the attack has been stopped:
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|